Title: [246022] trunk/Source
Revision
246022
Author
keith_mil...@apple.com
Date
2019-06-02 13:02:00 -0700 (Sun, 02 Jun 2019)

Log Message

Reenable Gigacage on ARM64.
https://bugs.webkit.org/show_bug.cgi?id=198453

Reviewed by Filip Pizlo.

Source/bmalloc:

* bmalloc/Gigacage.h:

Source/_javascript_Core:

This patch adds back Gigacaging on Apple's ARM64 ports. Unlike the
old Gigacage, however, arm64e uses both Gigacaging and PAC. Since the
Gigacage mask would otherwise strip the PAC failed-authentication bit,
we force a load through the pointer into a scratch register so that an
authentication failure traps before the mask is applied.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
(JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr):
(JSC::FTL::DFG::LowerDFGToB3::caged):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::cageConditionally):
* llint/LowLevelInterpreter64.asm:

Source/WTF:

* wtf/CagedPtr.h:
(WTF::CagedPtr::authenticatingLoad):
(WTF::CagedPtr::get const):
(WTF::CagedPtr::getMayBeNull const):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (246021 => 246022)


--- trunk/Source/_javascript_Core/ChangeLog	2019-06-02 12:25:15 UTC (rev 246021)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-06-02 20:02:00 UTC (rev 246022)
@@ -1,3 +1,26 @@
+2019-06-02  Keith Miller  <keith_mil...@apple.com>
+
+        Reenable Gigacage on ARM64.
+        https://bugs.webkit.org/show_bug.cgi?id=198453
+
+        Reviewed by Filip Pizlo.
+
+        This patch adds back Gigacaging on Apple's ARM64 ports. Unlike the
+        old Gigacage however, arm64e uses both Gigacaging and PAC. Since
+        Gigacaging would otherwise strip a PAC failed authenticate bit we
+        force a load of the pointer into some garbage register.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
+        (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+        (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr):
+        (JSC::FTL::DFG::LowerDFGToB3::caged):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::cageConditionally):
+        * llint/LowLevelInterpreter64.asm:
+
 2019-06-02  Tadeu Zagallo  <tzaga...@apple.com>
 
         CachedMetadataTable::decode leaks empty tables

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (246021 => 246022)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2019-06-02 12:25:15 UTC (rev 246021)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2019-06-02 20:02:00 UTC (rev 246022)
@@ -2873,7 +2873,7 @@
                 TrustedImm32(WastefulTypedArray));
 
             JITCompiler::Jump hasNullVector;
-#if !GIGACAGE_ENABLED && CPU(ARM64E)
+#if CPU(ARM64E)
             {
                 GPRReg scratch = m_jit.scratchRegister();
                 DisallowMacroScratchRegisterUsage disallowScratch(m_jit);
@@ -2882,7 +2882,7 @@
                 m_jit.removeArrayPtrTag(scratch);
                 hasNullVector = m_jit.branchTestPtr(MacroAssembler::Zero, scratch);
             }
-#else // !GIGACAGE_ENABLED && CPU(ARM64E)
+#else // CPU(ARM64E)
             hasNullVector = m_jit.branchTestPtr(
                 MacroAssembler::Zero,
                 MacroAssembler::Address(base, JSArrayBufferView::offsetOfVector()));
@@ -6719,6 +6719,14 @@
 
 void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg)
 {
+#if CPU(ARM64E)
+    m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg);
+    m_jit.loadPtr(storageReg, m_jit.scratchRegister());
+#else
+    UNUSED_PARAM(baseReg);
+    UNUSED_PARAM(storageReg);
+#endif
+
 #if GIGACAGE_ENABLED
     UNUSED_PARAM(baseReg);
     if (!Gigacage::shouldBeEnabled())
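Review bot: The forced load on the new `m_jit.loadPtr(storageReg, m_jit.scratchRegister())` line dereferences storageReg unconditionally, and unlike the parallel sites in AssemblyHelpers.h and LowLevelInterpreter64.asm it carries no comment saying why the load exists or that storage must be non-null, so a later reader will take it for a stray load and may remove it. I'd add `// Force a load so a failed PAC authentication traps here, before the Gigacage mask below strips the failure bit; storageReg must not be null.` above it. Whether every caller guarantees a non-null vector isn't visible from this hunk, and the earlier hunk in this file (the hasNullVector test) shows typed arrays can carry a null vector on ARM64E, so that precondition is worth asserting or stating at the call sites. The `UNUSED_PARAM(baseReg)` that follows under GIGACAGE_ENABLED is now redundant on ARM64E because baseReg is used by the untag; harmless but misleading.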
@@ -6732,11 +6740,6 @@
     }
     
     m_jit.cage(Gigacage::Primitive, storageReg);
-#elif CPU(ARM64E)
-    m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg);
-#else
-    UNUSED_PARAM(baseReg);
-    UNUSED_PARAM(storageReg);
 #endif
 }
 

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (246021 => 246022)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2019-06-02 12:25:15 UTC (rev 246021)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2019-06-02 20:02:00 UTC (rev 246022)
@@ -6463,7 +6463,7 @@
                 m_out.int64Zero,
                 m_heaps.typedArrayProperties);
 
-#if !GIGACAGE_ENABLED && CPU(ARM64E)
+#if CPU(ARM64E)
             {
                 LValue sizePtr = m_out.zeroExtPtr(size);
                 PatchpointValue* authenticate = m_out.patchpoint(pointerType());
@@ -14108,9 +14108,12 @@
         PatchpointValue* authenticate = m_out.patchpoint(pointerType());
         authenticate->appendSomeRegister(ptr);
         authenticate->append(size, B3::ValueRep(B3::ValueRep::SomeLateRegister));
+        authenticate->numGPScratchRegisters = 1;
         authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
             jit.move(params[1].gpr(), params[0].gpr());
             jit.untagArrayPtr(params[2].gpr(), params[0].gpr());
+            // Force a load to check authentication. before it is cleared by Gigacaging later.
+            jit.loadPtr(params[0].gpr(), params.gpScratch(0));
         });
         return authenticate;
 #else
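Review bot: The new comment `// Force a load to check authentication. before it is cleared by Gigacaging later.` has a stray period that splits the sentence; make it `// Force a load to check authentication before it is cleared by Gigacaging later.`. The load itself goes through `params[0].gpr()` unconditionally, so if this patchpoint is ever reached with a pointer that untags to null it faults on a null dereference rather than on a PAC failure; if callers guarantee a non-null pointer that is worth saying in the same comment, otherwise the load needs the same null guard that `CagedPtr::getMayBeNull` applies in this commit. The enclosing `untagArrayPtr` helper starts before this hunk.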
@@ -14135,6 +14138,16 @@
 
     LValue caged(Gigacage::Kind kind, LValue ptr, LValue base)
     {
+#if CPU(ARM64E)
+        if (kind == Gigacage::Primitive) {
+            LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length);
+            ptr = untagArrayPtr(ptr, size);
+        }
+#else
+        UNUSED_PARAM(kind);
+        UNUSED_PARAM(base);
+#endif
+
 #if GIGACAGE_ENABLED
         UNUSED_PARAM(base);
         if (!Gigacage::isEnabled(kind))
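Review bot: Nothing in `caged` records that the new ARM64E untag block must stay ahead of the Gigacage masking that follows, yet per the commit message that ordering is the whole reason for the patch: once the mask runs, the PAC failed-authentication bit is gone and a corrupted pointer is silently turned into an in-cage address. I'd open the `#if CPU(ARM64E)` block with `// Authenticate (and force the load that traps on failure) before caging: the Gigacage mask below would otherwise strip the PAC failure bit.`. As a side effect of the restructuring, `UNUSED_PARAM(base)` is now emitted twice on non-ARM64E Gigacage builds (harmless). `caged` continues past the end of this hunk.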
@@ -14165,17 +14178,6 @@
         // and possibly other smart things if we want to be able to remove this opaque.
         // https://bugs.webkit.org/show_bug.cgi?id=175493
         return m_out.opaque(result);
-#elif CPU(ARM64E)
-        if (kind == Gigacage::Primitive) {
-            LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length);
-            return untagArrayPtr(ptr, size);
-        }
-
-        return ptr;
-#else
-        UNUSED_PARAM(kind);
-        UNUSED_PARAM(base);
-        return ptr;
 #endif
     }
     

Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.h (246021 => 246022)


--- trunk/Source/_javascript_Core/jit/AssemblyHelpers.h	2019-06-02 12:25:15 UTC (rev 246021)
+++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.h	2019-06-02 20:02:00 UTC (rev 246022)
@@ -1571,6 +1571,18 @@
     
     void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratchOrLength)
     {
+#if CPU(ARM64E)
+        if (kind == Gigacage::Primitive) {
+            untagArrayPtr(scratchOrLength, storage);
+            // Force a load to trap on authentication failure. storage shouldn't be null here.
+            loadPtr(storage, scratchOrLength);
+        }
+#else
+        UNUSED_PARAM(kind);
+        UNUSED_PARAM(storage);
+        UNUSED_PARAM(scratchOrLength);
+#endif
+
 #if GIGACAGE_ENABLED
         if (!Gigacage::isEnabled(kind))
             return;
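Review bot: On ARM64E `cageConditionally` now overwrites `scratchOrLength` on every path, because the forced `loadPtr(storage, scratchOrLength)` runs before the Gigacage block can return early on `if (!Gigacage::isEnabled(kind)) return;`, whereas the removed `#elif CPU(ARM64E)` path only passed the length to `untagArrayPtr` and, as far as this diff shows, left the register alone. Whether any caller reads the length register after the call isn't visible here, so I'd state the contract above the function: `// On ARM64E, scratchOrLength holds the array length on entry and is clobbered on exit; storage must be non-null because the authenticating load dereferences it.`. With that written down, the `storage shouldn't be null here` remark becomes a documented precondition rather than a hope. The function body continues into the next hunk.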
@@ -1583,13 +1595,6 @@
         andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
         addPtr(scratchOrLength, storage);
         done.link(this);
-#elif CPU(ARM64E)
-        if (kind == Gigacage::Primitive)
-            untagArrayPtr(scratchOrLength, storage);
-#else
-        UNUSED_PARAM(kind);
-        UNUSED_PARAM(storage);
-        UNUSED_PARAM(scratchOrLength);
 #endif
     }
 

Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (246021 => 246022)


--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm	2019-06-02 12:25:15 UTC (rev 246021)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm	2019-06-02 20:02:00 UTC (rev 246022)
@@ -434,10 +434,13 @@
 
 macro loadCagedPrimitive(source, dest, scratchOrLength)
     loadp source, dest
+    if ARM64E
+        untagArrayPtr scratchOrLength, dest
+        # Force a load to check PAC before we clear it below.
+        loadp [dest], scratchOrLength
+    end
     if GIGACAGE_ENABLED
         uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, dest, scratchOrLength)
-    elsif ARM64E
-        untagArrayPtr scratchOrLength, dest
     end
 end
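Review bot: The new `loadp [dest], scratchOrLength` dereferences dest unconditionally and overwrites the caller's length in scratchOrLength, and the macro's comment explains only the first of those; a caller that still needs the length after `loadCagedPrimitive` on arm64e, or that can reach it with a null vector, would now break silently. I'd extend the comment to `# Force a load to check PAC before we clear it below. Clobbers scratchOrLength; dest must be non-null.`. Whether any LLInt caller does either isn't visible from this hunk.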
 

Modified: trunk/Source/WTF/ChangeLog (246021 => 246022)


--- trunk/Source/WTF/ChangeLog	2019-06-02 12:25:15 UTC (rev 246021)
+++ trunk/Source/WTF/ChangeLog	2019-06-02 20:02:00 UTC (rev 246022)
@@ -1,3 +1,15 @@
+2019-06-02  Keith Miller  <keith_mil...@apple.com>
+
+        Reenable Gigacage on ARM64.
+        https://bugs.webkit.org/show_bug.cgi?id=198453
+
+        Reviewed by Filip Pizlo.
+
+        * wtf/CagedPtr.h:
+        (WTF::CagedPtr::authenticatingLoad):
+        (WTF::CagedPtr::get const):
+        (WTF::CagedPtr::getMayBeNull const):
+
 2019-05-31  Alex Christensen  <achristen...@webkit.org>
 
         URLParser::parseIPv6Host should properly parse 0's around compression

Modified: trunk/Source/WTF/wtf/CagedPtr.h (246021 => 246022)


--- trunk/Source/WTF/wtf/CagedPtr.h	2019-06-02 12:25:15 UTC (rev 246021)
+++ trunk/Source/WTF/wtf/CagedPtr.h	2019-06-02 20:02:00 UTC (rev 246022)
@@ -35,6 +35,18 @@
 
 template<Gigacage::Kind passedKind, typename T, bool shouldTag = false, typename PtrTraits = DumbPtrTraits<T>>
 class CagedPtr {
+#if CPU(ARM64E)
+    static void authenticatingLoad(T* ptr)
+    {
+        double result;
+        asm volatile("ldr %[out], [%[in]]"
+            : [out] "=&r"(result)
+            : [in] "r"(ptr) :);
+    }
+#else
+    static void authenticatingLoad(T*) { }
+#endif
+
 public:
     static constexpr Gigacage::Kind kind = passedKind;
 
@@ -52,8 +64,10 @@
     {
         ASSERT(m_ptr);
         T* ptr = PtrTraits::unwrap(m_ptr);
-        if (shouldTag)
+        if (shouldTag) {
             ptr = untagArrayPtr(ptr, size);
+            authenticatingLoad(ptr);
+        }
         return Gigacage::caged(kind, ptr);
     }
 
@@ -60,8 +74,11 @@
     T* getMayBeNull(unsigned size) const
     {
         T* ptr = PtrTraits::unwrap(m_ptr);
-        if (shouldTag)
+        if (shouldTag) {
             ptr = untagArrayPtr(ptr, size);
+            if (ptr)
+                authenticatingLoad(ptr);
+        }
         return Gigacage::cagedMayBeNull(kind, ptr);
     }
 

Modified: trunk/Source/bmalloc/ChangeLog (246021 => 246022)


--- trunk/Source/bmalloc/ChangeLog	2019-06-02 12:25:15 UTC (rev 246021)
+++ trunk/Source/bmalloc/ChangeLog	2019-06-02 20:02:00 UTC (rev 246022)
@@ -1,3 +1,12 @@
+2019-06-02  Keith Miller  <keith_mil...@apple.com>
+
+        Reenable Gigacage on ARM64.
+        https://bugs.webkit.org/show_bug.cgi?id=198453
+
+        Reviewed by Filip Pizlo.
+
+        * bmalloc/Gigacage.h:
+
 2019-05-30  Don Olmstead  <don.olmst...@sony.com>
 
         [CMake] Add WEBKIT_FRAMEWORK_TARGET macro

Modified: trunk/Source/bmalloc/bmalloc/Gigacage.h (246021 => 246022)


--- trunk/Source/bmalloc/bmalloc/Gigacage.h	2019-06-02 12:25:15 UTC (rev 246021)
+++ trunk/Source/bmalloc/bmalloc/Gigacage.h	2019-06-02 20:02:00 UTC (rev 246022)
@@ -34,7 +34,8 @@
 #include <cstddef>
 #include <inttypes.h>
 
-#if ((BOS(DARWIN) || BOS(LINUX)) && BCPU(X86_64))
+#if ((BOS(DARWIN) || BOS(LINUX)) && \
+    (BCPU(X86_64) || (BCPU(ARM64) && !defined(__ILP32__) && (!BPLATFORM(IOS_FAMILY) || BPLATFORM(IOS)))))
 #define GIGACAGE_ENABLED 1
 #else
 #define GIGACAGE_ENABLED 0
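Review bot: The new condition also enables Gigacage for `BOS(LINUX) && BCPU(ARM64)`, since `BOS(LINUX)` is still in the outer OR, while the commit message only claims to re-enable it on Apple's ARM64 ports; if Linux arm64 was not built and tested with this, gate the ARM64 clause under `BOS(DARWIN)` explicitly, and if it was intended, say so in the ChangeLog. The remaining exclusions, `!defined(__ILP32__)` and `(!BPLATFORM(IOS_FAMILY) || BPLATFORM(IOS))` for the non-iOS members of the iOS family (presumably watchOS/tvOS), are not explained anywhere; a one-line comment per exclusion referencing bug 198453 would stop the next person from "simplifying" them away. I can't tell from this hunk what the actual reason for each exclusion is, so confirm before writing it down.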